[Nice] DTLS support with libnice

Youness Alaoui youness.alaoui at collabora.co.uk
Fri Aug 23 06:28:14 PDT 2013


Hi Rajarshi,

While you could theoretically access the socket directly, it would not be a good
thing to do, because you would still be receiving STUN keep-alive messages, which
openssl wouldn't be able to parse as DTLS. libnice also has a mechanism for
detecting dropped connections, so if you hijack that, it might suddenly go to a
failed state. And most importantly, you don't really know which path is going to
be chosen: if it goes through a TURN relay, then there needs to be some
payloading of each message to tell the TURN server to which channel to send the
packets, or on reception, the TURN server will tell us where the packet is
actually coming from. If you just use SSL_write and it sends on the socket
directly, then it will break TURN support.

One possible solution could be for you to create a localhost socket and use
openssl on it: when you SSL_write to it, you'd have another thread reading on
the other end whatever openssl sent over that socket, and then you would
nice_agent_send it to the peer; and when you receive data from the peer, you
could write it to the localhost socket and let openssl receive and decode it.
It's not perfect, but it could be a quick and functional way of doing it, if
the openssl API doesn't allow you to do DTLS without hooking directly into a socket.
Another possibility is to see if GnuTLS allows you to do it more easily without
that sort of hack.

Good luck,
Youness.

On 08/20/2013 02:05 PM, Rajarshi Chaudhuri wrote:
> Thx Olivier for your reply. I guess based on our timeline - we need to do something similar and quick.
> 
> - RCC
> 
> -----Original Message-----
> From: Olivier Crête [mailto:olivier.crete at collabora.com] 
> Sent: Tuesday, August 20, 2013 10:37 AM
> To: Rajarshi Chaudhuri
> Cc: 'nice at lists.freedesktop.org'
> Subject: Re: [Nice] DTLS support with libnice
> 
> On Tue, 2013-08-20 at 07:35 +0000, Rajarshi Chaudhuri wrote:
>> So my question - is there a way to access the UDP sockets used by 
>> libnice so that we could set up DTLS [using open-ssl]. Note that, once 
>> the DTLS handshake is completed, though the actual data is not sent as 
>> DTLS records with SRTP, the data may still need to be sent using
>> SSL_write() - see http://tools.ietf.org/html/rfc5764#section-5.1.1.
>> Also on receiving, as described in section 5.1.2 of the same RFC, we 
>> need to handle SRTP and DTLS messages, and the latter needs to be 
>> handled by open-ssl.
>>
>> Are there other ways of supporting DTLS in libnice directly?
> 
> The way DTLS should be done over libnice is to have a socket abstraction layer and then implement DTLS on top of that. I've done such an implementation in GLib [1][2][3], but it was not merged due to some very real concerns. I haven't had time to re-do it better, but hopefully we can get it done in the near future.
> 
> So depending on what your timeline is you can either wait for us to do it or do something similar.
> 
> [1] https://bugzilla.gnome.org/show_bug.cgi?id=697907
> [2] https://bugzilla.gnome.org/show_bug.cgi?id=697908
> [3] https://bugzilla.gnome.org/show_bug.cgi?id=697909
> 
> --
> Olivier Crête
> olivier.crete at collabora.com
> 
> _______________________________________________
> nice mailing list
> nice at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/nice
> 
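Both messages above turn on the same point: whatever path libnice picks, the bytes that reach the application are a mix of DTLS records and SRTP (and, if you bypassed libnice as Youness warns against, STUN keepalives too), so something has to sort them before any of them is handed to OpenSSL. The following is an added example, not code from libnice, OpenSSL or either poster, implementing the first-byte demultiplexing rule from RFC 5764 section 5.1.2 that the original question cites. The counters and the `demux_datagram` dispatch hooks are hypothetical stand-ins for the real handlers; the sample datagrams are constructed, and only their leading bytes matter for the rule.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Added example (not libnice's or OpenSSL's code): classify each datagram that
 * arrives on an ICE component by its first byte, following the demultiplexing
 * rule of RFC 5764 section 5.1.2, so DTLS records go to the TLS library and
 * SRTP/SRTCP goes to the media path. Assumed: each datagram is one whole record.
 */
typedef enum {
    PKT_EMPTY,    /* zero-length datagram, nothing to look at */
    PKT_STUN,     /* first byte   0..3   : STUN (ICE checks / keepalives) */
    PKT_DTLS,     /* first byte  20..63  : DTLS record (handshake, alert, app data) */
    PKT_SRTP,     /* first byte 128..191 : RTP/RTCP, i.e. SRTP/SRTCP once keyed */
    PKT_UNKNOWN   /* anything else: discard */
} pkt_class;

pkt_class classify_packet(const unsigned char *buf, size_t len)
{
    if (buf == NULL || len == 0)
        return PKT_EMPTY;
    unsigned char b = buf[0];
    if (b <= 3)
        return PKT_STUN;
    if (b >= 20 && b <= 63)
        return PKT_DTLS;
    if (b >= 128 && b <= 191)
        return PKT_SRTP;
    return PKT_UNKNOWN;
}

const char *pkt_class_name(pkt_class c)
{
    switch (c) {
    case PKT_EMPTY: return "empty";
    case PKT_STUN:  return "stun";
    case PKT_DTLS:  return "dtls";
    case PKT_SRTP:  return "srtp";
    default:        return "unknown";
    }
}

/* Per-class tallies, standing in for the real handlers (hypothetical hooks). */
typedef struct {
    size_t stun, dtls, srtp, dropped;
} demux_counts;

/*
 * What a nice_agent recv callback would do per datagram: route DTLS to the
 * TLS engine, SRTP to the media decoder, and drop everything it cannot name.
 * The handlers here only count; a real build would call into OpenSSL/libsrtp.
 */
void demux_datagram(demux_counts *counts, const unsigned char *buf, size_t len)
{
    switch (classify_packet(buf, len)) {
    case PKT_STUN: counts->stun++;    break;   /* normally consumed by libnice itself */
    case PKT_DTLS: counts->dtls++;    break;   /* hypothetical: feed_to_dtls_engine(buf, len) */
    case PKT_SRTP: counts->srtp++;    break;   /* hypothetical: unprotect_and_deliver(buf, len) */
    default:       counts->dropped++; break;   /* PKT_EMPTY / PKT_UNKNOWN */
    }
}

/* Constructed sample datagrams (only the leading bytes matter for the rule). */
static const unsigned char sample_stun[] = { 0x00, 0x01, 0x00, 0x00, 0x21, 0x12, 0xA4, 0x42 }; /* STUN Binding Request + magic cookie */
static const unsigned char sample_dtls[] = { 0x16, 0xFE, 0xFD, 0x00, 0x00 };                   /* content type 22 = handshake, DTLS 1.2 */
static const unsigned char sample_srtp[] = { 0x80, 0x60, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00 }; /* RTP v2, payload type 96 */
static const unsigned char sample_junk[] = { 0x7F, 0x00 };                                     /* 127: in no assigned range */

/* Runs the constructed batch through the demultiplexer and returns the tallies. */
demux_counts run_sample_batch(void)
{
    demux_counts c = { 0, 0, 0, 0 };
    demux_datagram(&c, sample_stun, sizeof sample_stun);
    demux_datagram(&c, sample_dtls, sizeof sample_dtls);
    demux_datagram(&c, sample_srtp, sizeof sample_srtp);
    demux_datagram(&c, sample_junk, sizeof sample_junk);
    demux_datagram(&c, sample_dtls, 0);   /* zero-length delivery: dropped, never dereferenced */
    return c;
}

int main(void)
{
    demux_counts c = run_sample_batch();
    printf("stun=%zu dtls=%zu srtp=%zu dropped=%zu\n", c.stun, c.dtls, c.srtp, c.dropped);
    return 0;
}
```

The classifier is deliberately strict: the byte ranges above are the only ones RFC 5764 assigns, so anything outside them is dropped rather than guessed at, which keeps a stray or malformed datagram from ever reaching `SSL_read`. On the sending side, the loopback-socket relay described in the message can be avoided with OpenSSL's memory BIOs (`BIO_s_mem` attached via `SSL_set_bio`): the `PKT_DTLS` datagrams are written into the read BIO and fed to `SSL_read`, and whatever `SSL_write` leaves in the write BIO is pulled out and passed to `nice_agent_send`, so the bytes always travel over the path libnice chose, TURN channel framing included.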

